1 Introduction
It is well known that wireless networks have serious privacy problems. This is
mainly because of the broadcast nature of the radio channel that allows all
stations in proximity of the sender to overhear the frames sent. Even if network
devices make use of encryption algorithms, confidentiality is usually provided for
the data field only, whereas the header/tail fields remain in plain text. Therefore,
given that during normal activity packets are frequently sent using the
broadcast address as destination, an eavesdropper can receive and process them
without any effort and thus can obtain information about the sender. This, combined
with the fact that wireless devices usually have a fixed address, gives attackers
the possibility to link the device address to the user identity or to the device
position, as well as to the type of application utilized.
In wireless sensor networks (WSNs) the above problems are amplified and new
issues arise. In fact, WSNs are based on the wireless multihop communication
paradigm and therefore eavesdropping attacks can be accomplished more easily.
Furthermore, WSN applications are pervasive by nature and, as a consequence,
a lot of sensitive user information can be stolen by attackers.
In the recent past a lot of attention has been devoted to key distribution
in the WSN cryptography domain. Accordingly, several solutions have been
proposed for pre-distributing keys or for reducing their size.
I.F. Akyildiz et al. (Eds.): NETWORKING 2007, LNCS 4479, pp. 215–226, 2007.
© IFIP International Federation for Information Processing 2007
216 S. Armenia, G. Morabito, and S. Palazzo
The panda-hunter game is a well known reference scenario utilized for the study
of source location privacy in WSNs [4,3].
Suppose that a set of sensor nodes has been deployed by the Save The Panda
Organisation, in a random way within a large area in order to study and monitor
Analysis of Location Privacy/Energy Efficiency Tradeoffs in WSNs 217
panda habit. Sensor nodes are able to detect panda’s presence. At any time, while
the panda freely moves, there is always a sensor node, called source node, that
detects panda’s position. Such an observation must be periodically reported to
a sink node, via multihop routing techniques. In this way the current position of
the panda is approximately the position of the current source node. Thus, when
the sink node receives a message from the source node, it will know the panda
position.
We suppose that transmissions are encrypted, so the source node ID field
cannot be read by attackers. Moreover, we assume that the relationship between
node ID and node location is known only by the sink node.
In the area there is a hunter as well, with the role of adversary. He aims to
catch the panda, thus he is an enemy from the Save The Panda Organisation
standpoint. The hunter is not able to decrypt messages; therefore he cannot
learn, at least not directly, the location of the source node. In order to
consider the worst case, however, we take the hunter to be, as in [3]:
non-malicious, i.e., he does not interfere with the proper functioning of the
network; device rich, i.e., he is equipped in such a way that he can measure the
signal strength and angle of arrival of any message; resource rich, i.e., he has
an unlimited amount of power; and informed, i.e., he knows the location of the
sink and the network structure and protocols.
Using his devices and resources the hunter can analyse messages at RF level,
so he can try to capture the panda by back-tracing the routing path used by
messages back to the source.
As an example, consider the sensor network represented in Figure 1. There
are N = 11 sensor nodes n0 , n1 , ..., n10 , with n0 representing the sink.
In Figure 1 we show the shortest path routing tree connecting each sensor node
ni to the sink n0 , i.e., node n0 is the root of the tree. If the hunter is located near
node n6 and detects radio activity, then a node in the set {n7 , n8 , n9 , n10 } is the
source node. Instead, if no activity is detected, then the panda is near one of the
remaining nodes, i.e., a node in the set {n1 , n2 , n3 , n4 , n5 } is the source node.
Observe that in any case the hunter splits the network and obtains information
about the panda location.
This leads to a strict connection between location privacy and routing protocol
in a WSN. Routing protocols must be privacy-aware in order to save, or at least
prolong, panda’s life.
In order to model random routing we define the best next relay Ψ (ni ) as the
neighbour of ni which is closest to the sink, i.e., it is a node that satisfies the
following relationship
Let us stress that even if several nodes may satisfy the relationship in eq. (1),
for each ni only one node ψ(ni ) is selected. Accordingly, if shortest path routing
is utilized [Q][i,j] is equal to 1 if nj is the best next relay, i.e., if nj = ψ(ni ), and
is equal to 0, otherwise.
We define as p-random routing a routing algorithm which chooses the best
next relay with probability p and any other neighbor node with equal probability.
Accordingly, the routing matrix of a p-random routing protocol is
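$$
[Q]_{i,j} = \begin{cases}
p & \text{if } n_j = \psi(n_i) \text{ and } \phi(n_i) > 1 \\
\dfrac{1-p}{\phi(n_i)-1} & \text{if } n_j \neq \psi(n_i) \text{ and } \phi(n_i) > 1 \\
1 & \text{if } n_j = \psi(n_i) \text{ and } \phi(n_i) = 1 \\
0 & \text{otherwise}
\end{cases} \tag{2}
$$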
3 Performance Analysis
We define and derive the location privacy loss when p-random routing is applied
in Section 3.1. Then, in Section 3.2, we will derive the corresponding energy
consumption. Such performance metrics will be evaluated as a function of the
probability p. This allows us to evaluate appropriate tradeoffs between privacy
loss and energy consumption.
the uncertainty on S before and after knowing X. In the context of information
theory, the measure of uncertainty of a random variable can be evaluated as
the entropy of such a variable, H(S).
In [1] the loss of privacy is calculated as:
$$ \rho = 1 - 2^{-I(S,X)} \tag{3} $$
$$ H(S) = -\sum_{m=0}^{M-1} p_S(n_m) \log_2 [p_S(n_m)] \tag{4} $$
where pS (nm ) represents the probability that the source node is nm , whereas
the uncertainty on S given X is
$$ H(S|X) = -\sum_{m=0}^{M-1} \sum_{n=0}^{N-1} p_{SX}(n_m, x_n) \log_2 [p_S(n_m|x_n)] \tag{5} $$
where pSX (nm , xn ) represents the joint probability that S assumes the value nm
and X assumes the value xn , whereas pS (nm |xn ) represents the probability that
S assumes the value nm given that X assumes the value xn .
Obviously, the probability pS (nm |xn ) can be calculated as
$$ p_S(n_m|x_n) = \frac{p_{SX}(n_m, x_n)}{p_X(x_n)} = \frac{p_{SX}(n_m, x_n)}{\sum_{i=0}^{M-1} p_{SX}(n_i, x_n)} \tag{6} $$
Suppose that all locations are equiprobable, i.e., pS (nm ) = 1/M for any nm .
Accordingly, the uncertainty on S given in eq. (4) can be calculated as H(S) =
log2 M .
Also, suppose that the hunter attacks the WSN at node n∗. Following the
attack, the hunter detects radio activity if the path between the source node
and the sink passes through the node n∗ and vice versa. Accordingly, X can
assume only two values:
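$$
X = \begin{cases}
0 & \text{if there is no radio activity at node } n^* \\
1 & \text{if there is radio activity at node } n^*
\end{cases} \tag{7}
$$
$$ H(S|X) = \sum_{m=0}^{M-1} \sum_{x=0}^{1} p_{SX}(n_m, x) \log_2 \frac{1}{p_S(n_m|x)} \tag{8} $$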
In eq. (8) we need to calculate the probability pSX (nm , x) which can also be
used in eq. (6) to calculate pS (nm |xn ). The probability pS (nm |xn ) is given by
The probability in the sum on the right-hand side of eq. (11) is the probability
that the packet generated by nm does not visit node n∗ and does not reach the
sink until hop (v − 1), and, finally, at the v-th hop visits node n∗.
This can be calculated as:
$$ p_{XV}(1, v|n_m) = w^{(m)} \cdot G^{v} \cdot [w^{(n^*)}]^T \tag{12} $$
where:
– w(j) is an array of M − 1 elements, w(j) ∈ M−1 , all set equal to zero, with
the exception of the j-th element which is equal to 1, i.e.,
$$
[w^{(j)}]_i = \begin{cases}
0 & \text{if } i \neq j \text{ and } 1 \le i \le M-1 \\
1 & \text{if } i = j \text{ and } 1 \le i \le M-1
\end{cases} \tag{13}
$$
We call K the sum in the right hand side of eq. (16). We can easily obtain
that K is a diagonal matrix whose generic element is
$$
[K]_{i,j} = \begin{cases}
1/(1 - \beta_i) & \text{if } i = j \\
0 & \text{otherwise.}
\end{cases} \tag{17}
$$
where E{Z} represents the average value of Z and pZ (z) represents the proba-
bility that the number of hops between the source and the destination is equal
to z. The probability pZ (z) is the probability that a packet does not reach the
sink in (z − 1) hops and finally arrives at the sink at the z-th hop. Therefore, it
is easy to show that pZ (z) can be written in compact form as
$$ p_Z(z) = \pi^{(S)} \cdot P^{z-1} \cdot \omega^T \tag{20} $$
where
2
Observe that c can also take possible retransmissions into account. In this sense,
analysis of c is simple and not reported in this paper for space constraints.
– π (S ) is an array of (M − 1) elements, π (S ) ∈ M−1 . Its generic element is
given by:
$$ \pi^{(S)}_m = p_S(n_m) = 1/M \quad \text{with } 1 \le m < M. \tag{21} $$
In eq. (24) the matrix H is a diagonal matrix and its generic element is
$$
[H]_{i,j} = \begin{cases}
1/(1 - \lambda_i)^2 & \text{if } i = j \\
0 & \text{otherwise}
\end{cases} \tag{25}
$$
4 Numerical Examples
In this section we apply the proposed analytical framework to describe how
this can be used to evaluate the tradeoffs between location privacy and energy
efficiency in WSN.
We consider a network of M sensor nodes uniformly distributed on a square
area of size 1 km × 1 km. We assume that all sensor nodes have coverage radius
equal to R = 200 m. Once the position of the sensor nodes is set and the value of
the parameter p, characterizing the random routing, is known, it is possible to
construct the routing matrix Q as given in eq. (2).
Starting from the routing matrix Q it is possible to evaluate the privacy loss
γ and the average energy consumption as reported in Section 3.
All values in the following figures have been evaluated as the average of the
results obtained in 20 cases. For each case, a new distribution of sensor nodes has
been generated. Moreover, for each case individual routes are chosen considering
the same sink node and a source node chosen in a random fashion based on
uniform distribution.
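The following is an added example, not the authors' code: it carries out the procedure above on a constructed 3 × 3 grid (150 m spacing, sink in a corner, R = 200 m), building Q from eq. (2) and evaluating the privacy loss of eq. (3) and the average hop count E{Z}. Assumptions: φ(ni) is the number of neighbours of ni, I(S,X) = H(S) − H(S|X), the normalized energy is taken as E{Z}, and the hitting probabilities and hop counts are obtained by Gauss-Seidel iteration rather than the paper's matrix expressions.

```python
import math

R, STEP = 200.0, 150.0   # R from Section 4; the grid spacing is a constructed value
POS = [(STEP * c, STEP * r) for r in range(3) for c in range(3)]  # constructed topology
M, SINK = len(POS), 0    # node 0 at (0, 0) plays the role of the sink n0

def routing_matrix(p):
    """Eq. (2): p to the best next relay, (1-p)/(phi-1) to every other neighbour."""
    Q = [[0.0] * M for _ in range(M)]
    for i in range(1, M):                       # the sink forwards nothing
        nb = [j for j in range(M) if j != i and math.dist(POS[i], POS[j]) <= R]
        best = min(nb, key=lambda j: math.dist(POS[j], POS[SINK]))   # psi(n_i)
        for j in nb:                            # phi(n_i) assumed to be len(nb)
            Q[i][j] = 1.0 if len(nb) == 1 else (p if j == best else (1 - p) / (len(nb) - 1))
    return Q

def solve(Q, fixed, const, sweeps=5000):
    """Gauss-Seidel for v[i] = const + sum_j Q[i][j] * v[j], v pinned on `fixed`."""
    v = [fixed.get(i, 0.0) for i in range(M)]
    for _ in range(sweeps):
        for i in range(M):
            if i not in fixed:
                v[i] = const + sum(Q[i][j] * v[j] for j in range(M))
    return v

def privacy_loss(p, hunter):
    """Eq. (3), with H(S|X) from eq. (8), p_S(n_m|x) from eq. (6) and p_S = 1/M."""
    # hit[m] = P(X = 1 | S = n_m): the packet visits the hunter's node before the sink
    hit = solve(routing_matrix(p), {SINK: 0.0, hunter: 1.0}, 0.0)
    joint = [((1 - h) / M, h / M) for h in hit]          # p_SX(n_m, x), x = 0, 1
    h_s_x = 0.0
    for x in (0, 1):
        p_x = sum(row[x] for row in joint)               # denominator of eq. (6)
        h_s_x += sum(row[x] * math.log2(p_x / row[x]) for row in joint if row[x] > 0)
    return 1 - 2 ** -(math.log2(M) - h_s_x)              # H(S) = log2 M

def mean_hops(p):
    """E{Z}: average hops to the sink, each of the M nodes a source with prob. 1/M."""
    return sum(solve(routing_matrix(p), {SINK: 0.0}, 1.0)) / M

if __name__ == "__main__":
    for p in (1.0, 0.8, 0.5):   # hunter placed at node 4, the centre of the grid
        print(p, round(privacy_loss(p, 4), 4), round(mean_hops(p), 3))
```

With the hunter at the centre node, lowering p reduces the privacy loss and raises the average hop count, which is the tradeoff the section describes.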
Fig. 3. Privacy loss, γ, versus the probability p for different values of the number of
sensor nodes, i.e., M = 50 and M = 100
Fig. 4. Normalized energy consumption /c versus the probability p for different values
of the number of nodes, i.e., M = 50 and M = 100
Fig. 5. (Upper plot:) Average energy consumption versus privacy loss γ and
(Bottom plot:) The value of the probability p versus the corresponding privacy loss γ
number of sensor nodes M , the lower the energy consumption. This is because,
if there are more nodes, it is likely to find better next relays than in case there
are few nodes.
To highlight the tradeoff between privacy loss and energy efficiency, in
Figure 5 we show two plots. In the upper plot we represent the normalized
energy consumption, /c, versus the corresponding value of the location privacy
loss, γ. As expected, the privacy loss increases as the energy consumption
decreases. This figure has been obtained considering M = 100 nodes and can be
utilized by the designer to select an appropriate tradeoff between energy
efficiency and privacy. Once a point in the curve is chosen, the designer can use
the bottom plot to obtain the corresponding value of p that gives the selected
performance.
5 Conclusion
Acknowledgments
This paper has been partially supported by European Commission under
contract DISCREET (FP6-2004-IST-4 contract no. 27679).
References
1. D. Agrawal, C. Aggarwal. On the Design and Quantification of Privacy Preserving Data Mining Algorithms. Proc. of the Twentieth ACM SIGACT-SIGMOD-SIGART, Santa Barbara, California, USA. May 2001.
2. M. Anand, Z. G. Ives, I. Lee. Quantifying Eavesdropping Vulnerability In Sensor Networks. Department of Computer & Information Science, University of Pennsylvania, 2005.
3. P. Kamat, Y. Zhang, W. Trappe, C. Ozturk. Enhancing Source-Location Privacy in Sensor Network Routing. Proc. of International Conference on Distributed Computing Systems (ICDCS 2005), Columbus, OH, USA. June 2005.
4. C. Ozturk, Y. Zhang, W. Trappe, M. Ott. Source-Location Privacy for Networks of Energy-Constrained Sensors. In Proc. of IEEE Workshop on Software Technologies for Embedded and Ubiquitous Computing Systems (WSTFEUS), Vienna, Austria. May 2004.
5. Y. Xi, L. Schwiebert, W. Shi. Preserving Source Location Privacy in Monitoring-Based Wireless Sensor Networks. Department of Computer Science, Wayne State University, 2006.
6. DISCREET Project, State of the art Deliverable. http://www.ist-discreet.org/Deliverables/D2103.pdf
7. S. Haykin. Communication Systems, 4th edition.